Layer 7 DoS attacks

Unanswered Question
Jul 27th, 2011
User Badges:

Our vulnerability assessment has shown that we are potentially vulnerable to Layer 7 DoS attacks like slow http post ( or slow http headers (  I'm wondering if there is anything we can do at the ASA or IPS level to alleviate these potential issues?

TCP Intercept sounds like a possibility, but not sure if it's geared more toward a true DoS attack rather than these layer 7 types?

Here is what we've been told the weaknesses are and the recommended steps to mitigate the issue, but I'm not really sure where/how to do it:

1) Allowing a server connection to stay open for an unlimited amount of time (no absolute timeout)

-Solution: Apply an absolute timeout

2) Allowing excessive/unneeded content (no max data threshold)

-Solution: Apply a max data threshold based on the form requirements

3) Allowing message content to be sent separately at extremely slow speeds (no minimum speed rate)

-Solution: Apply acceptable minimum speed rate for requests

Any help or pointers would be greatly appreciated!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mirober2 Tue, 08/02/2011 - 06:05
User Badges:
  • Cisco Employee,

Hi Corey,

You can use conn limits on the ASA to some extent to help mitigate this. For example, you can apply a limit to allow clients to have only 1 or 2 HTTP conns at any time. This would only be effective if the attack came from a small number of sources. You could also apply a limit to the number of concurrent connections allowed to your web server at any time. Both of these methods would take some tuning as you need to set the limits at a level that is strict enough to prevent some of the attacks and be effective against a distributed attack, but high enough that you don't end up denying access to legitimate users as well.

You could also try setting a very low timeout for HTTP connections, but this again would be a bit of a balancing act since the attacker could dynamically adjust the rate of their requests. In addition, all of these methods are layer 4 mitigation techniques, which the attacks are specifically designed to circumvent.

All of the above would be done with the 'set connection {per-client-max|conn-max|timeout}' commands in a policy-map. See this link for more details:

As for a layer 7 defense, you could satisfy technique 2 that you mentioned (setting a max data limit). You could do this with the ASA's layer 7 HTTP inspection:

class-map http-class

   match port tcp eq 80

policy-map type inspect http http-map


    match request header content-length length gt 1000

      drop-connection log

policy-map global_policy

class http-class

  inspect http http-map

service-policy global_policy global

Other than that, it would be best to use a more dynamic detection method, such as an IPS. You may have better luck with help there over in our IPS/IDS community:

Hope that helps.


scotthendrickson Thu, 09/15/2011 - 07:37
User Badges:

Good morning....

Our appliance scanner found the same vulnerability and we are looking for ways to both mitigate the issue.  Microber....did you implement any of the techniques listed above on your ASA.  Did thy solve the issue from the appliance standpoint??

Thanks in advance for your feedback.

sauraban Thu, 02/16/2017 - 03:13
User Badges:
  • Cisco Employee,

Hi Experts,

Just wanted to confirm if we have a feature to limit to the box HTTPS connection limit . My customer is using clientless VPN and what he observed that when he did pan testing to launch slow http post attack on public IP of ASA ,after 4096 connection we see connections starts dropping.. on further analysing we notice that DMA memory of ASA is getting occupied

Device customer is using is 5525,


This Discussion